On 13-12-19 15:00, Rob Crittenden wrote:
> Kees Bakker wrote:
>> On 06-11-19 17:16, Rob Crittenden wrote:
>>> Kees Bakker via FreeIPA-users wrote:
>>>> Thanks Rob
>>>>
>>>> Here are my findings, mainly as an FYI.
>>>>
>>>> On the CA master it reports the following (which I have to investigate)
>>>> [
>>>>   {
>>>>     "source": "ipahealthcheck.ipa.certs",
>>>>     "kw": {
>>>>       "msg": "Unknown certmonger id 20190412141828",
>>>>       "key": "20190412141828"
>>>>     },
>>>>     "uuid": "f3d6ccb9-fb82-49ac-aa02-f485d08826c3",
>>>>     "duration": "0.980984",
>>>>     "when": "20191106095349Z",
>>>>     "check": "IPACertTracking",
>>>>     "result": "WARNING"
>>>>   }
>>>> ]
>>> To see what the request is run:
>>>
>>> # getcert list -i 20190412141828
>>>
>>> It may be perfectly fine, it is acceptable to track other certs on the
>>> master, it is just unexpected so healthcheck is warning about it.
>>>
>>
>> The warning is for a cert that I created for a FreeRADIUS server (which
>> I never actually managed to get working).
>>
>> The warning is a bit annoying because the cert is alright, I think. It is
>> listed with "status: MONITORING".
>> So, I think that the cert is not unknown to certmonger, despite what the
>> error suggests.
>>
>> I am considering to create another cert for some other service, in the same
>> manner as I did for freeRADIUS. That new cert would then also be flagged with
>> a warning.
>>
>
> This particular check isn't verifying whether the cert is ok. It is
> checking that the tracking for the standard IPA certs is done correctly.
>
> If there are additional certs it has no way to know to validate them so
> warns instead. We discourage running additional software on an IPA
> master. Using a master to manage a cert is probably fine but is a grey
> area. I chose to warn as a heads-up, to keep a paranoid stance of
> warning on anything unexpected.

Ah, I see. So, I better not do that then.

>
> I have an idea to create an ignore list but it probably won't see the
> light of day for a while.
>
> This is good feedback, thanks.

Likewise.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
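Added example, not part of the original thread and not FreeIPA code: one way to get the effect of the ignore list discussed above outside of healthcheck, by post-processing its JSON results. It acknowledges only the "Unknown certmonger id" warning from IPACertTracking for request IDs an admin has already reviewed, and leaves everything else for review. The allowlist name, the triage() function and all sample entries except the first are assumptions made for illustration.

```python
import json

# Request IDs of extra certmonger tracking that an admin has reviewed
# (hypothetical local allowlist; the ID is the one quoted in the thread).
KNOWN_EXTRA_IDS = {"20190412141828"}

# Constructed sample: the first entry mirrors the result quoted in the thread,
# the others are made-up entries that exercise the remaining branches.
SAMPLE = json.loads("""
[
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
  "result": "WARNING",
  "kw": {"msg": "Unknown certmonger id 20190412141828", "key": "20190412141828"}},
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
  "result": "WARNING",
  "kw": {"msg": "Unknown certmonger id 20990101000000", "key": "20990101000000"}},
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
  "result": "ERROR",
  "kw": {"msg": "constructed error text", "key": "20190412141828"}},
 {"source": "example.source", "check": "ExampleCheck", "result": "SUCCESS", "kw": {}}
]
""")

def triage(results, known_ids):
    """Return (acknowledged, needs_review) lists of healthcheck results."""
    acknowledged, needs_review = [], []
    for r in results:
        kw = r.get("kw") or {}
        # Only the exact "unexpected tracking" warning may be acknowledged;
        # an ERROR from the same check is never suppressed by the allowlist.
        unexpected_tracking = (
            r.get("source") == "ipahealthcheck.ipa.certs"
            and r.get("check") == "IPACertTracking"
            and r.get("result") == "WARNING"
            and str(kw.get("msg", "")).startswith("Unknown certmonger id")
        )
        if unexpected_tracking and kw.get("key") in known_ids:
            acknowledged.append(r)
        elif r.get("result") != "SUCCESS":
            needs_review.append(r)
    return acknowledged, needs_review

if __name__ == "__main__":
    ack, review = triage(SAMPLE, KNOWN_EXTRA_IDS)
    print("acknowledged:", [r["kw"]["key"] for r in ack])
    for r in review:
        print("REVIEW", r["result"], r["check"], r["kw"].get("msg"))
```

Before adding an ID to the allowlist, confirm what it tracks with the getcert list -i command quoted in the thread.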